Bookmark this page to keep up with everything DPF! Please suggest new resources on the LinkedIn article (where you can also see some nice diagrams/illustrations shared to our community).
Newest resources
- July: US DPF website: Key Requirements for DPF Program Participating Organizations
- Sep: iapp article: PCLOB report further divides FISA Section 702 reauthorization talks πΏ
- Aug: iapp shares a great infographic of steps for implementing the DPF across multiple European jurisdictions:
10 July 2023: DPF approved!
The European Commission (EC) has now adopted its adequacy decision for the EU-US Data Privacy Framework, concluding that the United States ensures an adequate level of protection β comparable to that of the European Union β for personal data transferred from the EU to US companies under the new framework. On the basis of the new adequacy decision, personal data can flow safely from the EU to US companies participating in the Framework, without having to put in place additional data protection safeguards.
Note that the adequacy is for certified US companies and not the entire country.
β Max Schrems have already stated that they (noyb) will challenge the new framework, so keep in mind that the DPF might not survive that CJEU round either. (And, the US is just one territory - we still have to do TIAs and supplementary measures for other third countries...)
Key resources (as of 15 July, more to come):
πͺπΊ From the EU
- 19 July EDPB's press release with link to their DPF information note.
- 10 July Press release: European Commission adopts new adequacy decision for safe and trusted EU-US data flows.
- Download the actual implementing decision here: Adequacy decision for the EU-US Data Privacy Framework.
- 10 July Q&A (web, also see print friendly PDF at the end of the page).
- 10 July Factsheet β EU-US Data Privacy Framework.
- 10 July Press conference with Commissioner Didier Reynders.
- The EC's page on Adequacy decisions.
- The EC's page on the International dimension of data protection: how personal data transferred between the EU and US is protected for both the Commercial sector and Law enforcement cooperation (this page links to many of the links already listed here).
πΊπΈ From the US - and for US-based companies
Like before, US companies can certify for the DPF by committing to comply with a detailed set of privacy obligations published on the certification website (live on 17 July). Note that the DPF currently only applies to US companies.
Those already certified under the Privacy Shield will receive information from their certification partners about next steps, but in short you're expected to update your privacy policy (within three months) and otherwise be able to comply with the DPF principles (which are, by large, the same as before).
π₯ Also check out the LinkedIn event with Caitlin Fennessy (IAPP) and Alex Greenstein (Director DPF, U.S. Department of Commerce): The DPF in practice where they also addressed some key questions.
πΊπΈπ¬π§ On 8 June, the UK and US agreed a "UK Extension" to the DPF, allowing certified US companies to also process UK personal data under the framework. This is contingent on adequacy being granted from both the US and UK governments (expected in not too long). Also note that this is only a "data bridge" and not a stand-alone framework as the Swiss one.
πΊπΈπ¨π On July 10, the Swiss Federal Data Protection and Information Commissioner (FDPIC) announced "well advanced" discussions with the US and we expect adequacy to be granted once the new Swiss data protection legislation takes effect on 1 September.
Relevant links:
- To certify visit the certification website (live on 17 July).
- 17 July Press release U.S. Departments of Commerce and Justice and the European Commission Reaffirm Shared Values, Welcome Finalized EU-U.S. Data Privacy Framework.
- 10 July Statement from President Joe Biden on EU Adoption of Adequacy Decision for U.S.-EU Data Flows.
- 10 July Statement from U.S. Secretary of Commerce Gina Raimondo on the European Union-U.S. Data Privacy Framework.
π From noyb & Max Schrems
- 10 July noyb's reaction to the DPF announcement: New Trans-Atlantic Data Privacy Framework largely a copy of "Privacy Shield". noyb will challenge the decision.
Various, including SA press releases and guidance:
- 18 July iapp article A guide to the attorney generalβs finding of 'reciprocal' privacy protections in EU ("qualifying states").
- πͺπΊ The EDPB has so far only tweeted that "In the next few weeks the EDPB will develop an information note for stakeholders on the implications of the DPF".
- π³π΄ Datatilsynets spΓΈrsmΓ₯l og svar.
- π©π° Datatilsynets spΓΈrgsmΓ₯l og svar.
- πΈπͺ Integritetsskyddsmyndigheten (IMY) has just posted a simple note.
Got other relevant links? Please share with me on LinkedIn!
Archive links 2022-2023
- πΊπΈ 3 July Statement from U.S. Secretary of Commerce Gina Raimondo on the European Union-U.S. Data Privacy Framework.
- πΊπΈ 20 June U.S. Department of Justice Memorandum in Support of Designation of the European Union and Iceland, Liechtenstein and Norway as Qualifying States Under Executive Order 14086 (PDF direct link).
- πͺπΊ 25 March Factsheet β Transatlantic Data Privacy Framework.
- πΊπΈ 25 March Fact sheet from the White House: United States and European Commission Announce Trans-Atlantic Data Privacy Framework.
- π 13 December noyb's reaction to the Draft adequacy decision: Statement on US Adequacy Decision by the European Commission.
- πͺπΊ 13 December Press release: Commission starts process to adopt adequacy decision for safe data flows with the US.
- πͺπΊ 13 December The actual Draft adequacy decision.
- πͺπΊ 13 December Q&A on the Draft adequacy decision.
- πͺπΊ 7 October Q&A (web, also see handy PDF at the end of the page).
- πΊπΈ 7 October Statement on the Executive Order from the U.S. Secretary of Commerce.
- πΊπΈ 7 October Fact sheet from the White House: President Biden Signs Executive Order to Implement the European Union-U.S. Data Privacy Framework.
- π 7 October noyb's first reaction and summary: Executive Order on US Surveillance unlikely to satisfy EU law.
- π 7 October Direct download (PDF) to noyb's structured (very helpful!) version of the Executive Order with bookmarks down to layer 3.